EDUCATING THE FRAUDSTER
CREDIT CARD FRAUD - A DEFINITION
Unauthorised account activity by a person for which the account was not intended. Operationally, this is an event for which action can be taken to stop the abuse in progress and incorporate risk management practices to protect against similar actions in the future.
OVERVIEW
High street retailers have been battling fraud for years and, in doing so, have developed methods to deter fraud. These merchants train their staff to perform simple checks to ensure the validity of the consumer's identity. Workers can compare the signature on the back of a credit card against the signature on the credit card receipt and for further verification can/may ask for photo Identification. Merchants are further protected from the pitfalls of fraud by the nature of the card present environment. Card present means the credit card is physically present during the purchase. When a dispute occurs in this environment, and the merchant has properly collected the consumer's signature on the credit card receipt, the consumer's credit card company will most likely absorb the disputed amount based on the rules established by the credit card institutions. However, in the Internet arena, merchants don't have the advantages that physical world merchants enjoy. First, it is impossible to collect a valid and acceptable signature of a consumer, let alone a photo ID. In fact, it is almost impossible to perform any of the "physical world" checks necessary to detect who is at the other end of the transaction and to conform to the protections in the card institution's rules. This makes the Internet extremely attractive to fraud perpetrators and a huge problem for Internet merchants. Purchases made over the Internet are considered by financial institutions to be card-not-present transactions (CNP). This means the credit card is not physically present during the purchase. This type of transaction is similar to a MOTO (mail order/telephone order) transaction. If a dispute occurs over a charge in this environment, and the transaction is found to be fraudulent, the merchant, not the bank, is responsible for reimbursing the entire disputed amount to the consumer or the consumer's credit card company. In addition to reimbursing the cost of the purchase to the consumer, the merchant is also responsible for the cost of replacing the lost merchandise, shipping costs, and any incurred bank chargeback fees and transaction fees. A chargeback is the cost of transferring financial responsibility to the merchants involved in cases of disputed charges - usually $20 to $35 per transaction. It seems unfair that Internet merchants are treated so harshly when it comes to fraud. Unfortunately, it is the nature of the business, since fraud is so easily performed on the Internet. It is the explosion of fraudulent transactions over the Web that contributes to how fraud is handled. According to the Gartner Group, the rate at which Internet fraud occurs is a rate twelve times higher than physical world fraud. The monstrous cost of Internet fraud has to be assumed by someone. Since credit card issuers are most concerned about pleasing their customers and protecting the integrity of their brand names, they will continue to penalise anyone who jeopardizes these two things. In the eyes of the credit card companies, this is the responsibility of the merchant. In many instances, to compound the problem, financial institutions have begun cracking down on merchants who have high occurrences of chargebacks. Because of this, many merchants are quickly finding themselves in situations where they are required to pay higher transaction fees and, in some cases, are being charged costly fines of anywhere between $5,000 and $50,000 per month.
The Offlode™ Solution
1
�The worst result of this crackdown is the loss of merchant account privileges for merchants considered being high risk (usually with a chargeback rate of 2.5% or more of their total transactions). This is frequently a fatal blow for merchants, because it is extremely difficult to get a merchant account reinstated once privileges are lost.
WHO IS AT RISK?
Unfortunately, occurrences of online fraud are only increasing. From 1997 to 1998 there was a 600% increase in reported Internet fraud and in the first half of 1999 there were more than the whole of 1998. With much more sophisticated ‘weaponry’ of today this has increased to estimates of $2 billion1 in the US alone. Although all Internet sites are at risk of fraud, there are certain categories that are targeted more often than others. Companies who sell digital goods or memberships are more at risk for fraud because no postal address is required to complete delivery2. These purchases are downloaded to the consumer's computer. According to a study performed by the Gartner Group, the average chargeback rate for Internet merchants who sell digital goods is 15% of their total transactions, with the rate for some merchants reaching as high as 30%. Also, goods easily traded for cash (such as electronic devices and computer equipment) are popular targets for fraud as are porn and gambling sites.
HOW IS INTERNET CREDIT CARD FRAUD BEING PERFORMED?
The most common way Internet fraud is committed is through the use of credit cards. This is because approximately 98% of online transactions originate from credit cards. Credit card use where the physical card is not present at the point of sale (POS) brings its own set of challenges. Within the payment cards industry this is referred to as the MOTO arena. MOTO transactions are card-not-present (CNP) transactions and include the use of credit cards on the Internet. These transactions share the fundamental problem of authentication, the ability to verify that the purchaser is actually the cardholder. The true MOTO environment offers at least some level of authentication assurance. Most MOTO purchases are made up from directed mail of a catalogue to a specific address with a customer ID number. This information is used by the merchant to verify that the caller is associated with the catalogue mailing address and customer number.
Some facts about Internet fraud • • • • Internet transaction fraud is twelve times higher than in-store fraud. As a result, merchants pay a heftier price for card-not-present sales. In 2001, some $700 million in revenue was lost, representing 1.14% of $61.8 billion in online sales. In 2000, online fraud losses were 1.13% of $44.2 billion in annual online sales. One in six online consumers has been the victim of credit card fraud; one in twelve has been hit with identity theft. While screening for fraud, merchants reject an estimated $1.2 billion in valid sales due to suspicious transaction characteristics.
1 Recently the Wall Street Journal reported that credit card fraud in 2002 reached $1.8 billion and is estimated to grow to $2.2 billion in 2003. Much of this growth is attributed to the expanding share of online and other card-not-present transactions. “Such purchases now account for 25% of all credit-card transactions, MasterCard says. The percentage of these transactions that are fraudulent is much higher than it is for traditional card purchases. On the Web, for example, creditcard fraud as a percentage of all transactions is 2.1%, compared with 0.1% of all traditional card purchases. 2
Refer Appendix – Case Study Nick Davies 2
The Offlode™ Solution
�In the Internet there is no such connection. The order flows anonymously from a computer that can be located anywhere with no ability for the merchant to authenticate that the card number presented is associated with the actual cardholder. Right now (August 2003) there is no authentication system that has been generally adopted by all parties (credit card associations, issuers, merchants and consumers). Smart cards3 used with readers attached to computers offer one possible solution but to date there has been little interest by consumers or computer manufacturers to invest in this technology. As previously discussed issuers broadly indemnify cardholders from Internet fraud therefore there is little incentive for consumers to make such investments. Association rules allow issuers to charge back these fraudulent transactions to the merchants, which further diffuses the incentives to tackle the problem. Because of this, many different ways to perform online credit card fraud have been devised. The most common methods used include identity theft, stolen credit card numbers, and credit card number generators. Although these are the most popular methods today, fraud is constantly evolving and fraud perpetrators are becoming more sophisticated as merchants and banks create new ways to combat fraud. The US Banker in December 2001 highlighted another factor in a report on cyber-fraud entitled, ‘I didn’t do it’ where it described the high incidence of Internet fraud transactions that are classified as ‘familiar fraud’. This is where a transaction may be legitimately initiated by the cardholder for a product that could be considered dubious in nature, (i.e. – pornography on the Internet). When confronted by a family member the individual may deny knowledge of the transaction and then report it as fraud. A legitimately billed transaction can then be reported as “never received” and reversed by the issuing bank. The report suggested that up to half of all on fraud could account for this.
Identity Theft
By acquiring basic personal information, fraud perpetrators can impersonate consumers and apply for credit cards in their names. From there, email accounts using one of the free email providers (such as Yahoo! and MSN Hotmail) can be created to strengthen the impersonation. The new card numbers, along with matching email addresses, can then be used to make fraudulent purchases on the Internet that seem legitimate.
3 The smart card is an innovative application that involves all aspects of cryptography (secret codes), not just authentication. A smart card has a microprocessor built into the card itself. Cryptography is essential to the functioning of these cards in several ways: • The user must corroborate his identity to the card each time a transaction is made, in much the same way that a PIN is used with an ATM. • The card and the card reader execute a sequence of encrypted sign/countersign-like exchanges to verify that each is dealing with a legitimate counterpart. • Once this has been established, the transaction itself is carried out in encrypted form to prevent anyone, including the cardholder or the merchant whose card reader is involved, from "eavesdropping" on the exchange and later impersonating either party to defraud the system. This elaborate protocol is conducted in such a way that it is invisible to the user, except for the necessity of entering a PIN to begin the transaction. Smart cards first saw general use in France in 1984. They are now hot commodities that are expected to replace the simple plastic cards most of us use now. Visa and MasterCard are leading the way in the United States with their smart card technologies. The chips in these cards are capable of many kinds of transactions. The enhanced memory and processing capacity of the smart card is many times that of traditional magnetic-stripe cards and can accommodate several different applications on a single card. It can also hold identification information, keep track of your participation in an affinity (loyalty) program or provide access to your office. Experts say that internationally accepted smart cards will be increasingly available over the next several years. Many parts of the world already use them, but their reach is limited. The smart card will eventually be available to anyone who wants one, but for now, it's available mostly to those participating in special programs.
The Offlode™ Solution
3
�Stolen Credit Card Numbers
Stealing credit card numbers is probably the easiest and most common way fraud is performed. Surprisingly to some, there are no known cases of credit card numbers being stolen in transit over the Internet, but rather the majority of the stolen card numbers used on the Internet come from the physical world. Fraud perpetrators can pick up old receipts or statements, or can even be a waiter or waitress who processes your dinner bill. Also, in many cases, not only is a customer's credit card number available, but also various verification information, such as the consumer's billing information. This information4, coupled with the stolen number, can make for a seemingly legitimate purchase.
Card Number Generators
These are free programs that are widely available on the Internet – CreditMaster and Credit Wizard are but two. Card number generators are used by perpetrators to generate sequences of 16 digit credit card numbers from valid Bank Identification Numbers (BIN’s). This enables the criminal to quickly transact multiple fraudulent sales from online merchants whose security does not block sales to sequential numbers. These synthesised credit card numbers pass the majority of merchant and bank checks. Again, combined with free email accounts, these numbers can be used to make fraudulent purchases seem legitimate.
WHAT CAN BE DONE?
With all the obstacles that merchants face - financial and product losses, fines, indifference and outright opposition from financial institutions, growing instances of Internet fraud, and technological advancements in perpetrating fraud - it's easy for merchants to feel victimised and helpless. It is these obstacles that are driving merchants to become more wary of fraud, and more interested in finding solutions to combat fraud. More and more merchants and merchant-focused companies are creating solutions to help cut down on fraudulent transactions and lower merchant chargeback rates. Some of the more popular solutions include manual order review, simple rule systems, Address Verification System (AVS), Card Verification Value 2 (CVV2), account masking software and negative databases. Unfortunately, there are several problems with these methods that many solution-seeking merchants are unaware of. These methods allow the merchant to think they are "doing something" to eradicate fraud, leading to a false sense of security and an unintentional increase in the number of valid purchases rejected. It is easy to eliminate fraud if the merchant is willing to sacrifice sales.5
Manual Order Review
This method consists of reviewing every transaction by hand for signs of fraudulence, and involves an exceedingly high level of human intervention. This can prove to be extremely costly, as well as very time consuming. Moreover, manual order review is unable to detect some of the more prevalent patterns of fraud, which involve the use of a single credit card multiple times on multiple sites in the span of a few minutes. Also, as the merchant's business grows, this solution is not scalable, since it requires the addition of more manpower and more man-hours (and the increased costs associated with these additions) to be devoted to the solution.
Simple Rules System
Simple rule systems involve the creation of - if...then… - criteria that a merchant can compare against incoming transactions. For instance, a merchant using a simple rule system might decide to reject orders originating from free email services or from a foreign country or in a particular time zone (say between 2 and 5am) The disadvantage of this solution is that it can increase the probability of rejecting valid transactions. This not only causes loss of sales, but can also cost the future patronage of disgruntled consumers.
4 5
Refer appendix – Types of Fraud and ways of obtaining information While screening for fraud, merchants reject an estimated $1.2 billion in valid sales due to suspicious transaction characteristics 4
The Offlode™ Solution
�AVS
AVS matches the first five digits of the street address and the ZIP code information from the cardholder's collected billing address to the corresponding billing information on record with the card issuers. A code representing the level of match between these addresses is returned to the merchant. However, AVS codes are not returned to merchants until after they have completed processing an authorization. This means that in order to reject the transaction based on the AVS response, the merchant must reverse the authorization, which results in additional processing fees and additional human intervention. AVS is not available for international cards and some domestic card issuers.
CVV2
The set of 3 digits found on the reverse of most credit cards is unique to that card. Merchants that require Internet customers to enter this value along with the actual card number add a layer of security to the transaction. Since the three-digit number can only be found on the card itself there is greater likelihood that the purchaser is actually in possession of the card. Stolen receipts, for example, would not reveal the card’s three-digit verification value. However if the card has been stolen this is obviously not an effective preventative measure.
Masking Software
This is another new method being employed to control Internet fraud. The key element of this process is a single use number for each transaction. A handful of issuers have added this extra step into the online shopping process. Generally after the consumer has selected their items for purchase and is ready to ‘checkout’ they then log on to their card issuer’s web site. On the web site they select the card they wish to use to pay for the purchase. At this point a unique credit card number and expiration date is created and used to finish the online purchase. Uptake and acceptance of these programs has been very limited.
Negative Data Bases
Merchants who maintain negative databases create a log of credit card numbers involved in past fraudulent transactions on the merchant's site. The negative database can also keep track of other information, such as physical or email addresses previously used in fraudulent transactions. This information is then compared against incoming orders. Unfortunately, if a credit card is established as stolen or it is used in a fraudulent transaction, it will most likely have been canceled, causing the negative database to be constantly out of date and consequently not of much use to the merchant.
CONCLUSION
An important underlying factor with fraud on the Internet is that it is the merchants and not the issuing banks that are accountable for most, if not all, of the card-not-present fraud. Therefore there is no strong coalition among the players involved to find a solution to beat the CNP fraud. Merchants, who have the largest incentive to do something, are not likely to invest the time and money required for implementation until there is an agreement on a specific program by all the parties involved – credit card organisations, issuers, merchants and the consumers). Anecdotally, it is the consumers that are also unwilling to accept the inconvenience associated with the added steps. There is suggestion that consumers are simply not that concerned about using credit cards on the Internet.
WHAT ARE THE SOLUTIONS? – AN IDEAL WORLD
If merchants were left to devise a solution to the problem of fraud, it would ideally consist of the ability to identify and rule out fraudulent transactions (keeping their chargeback rates low) without ruling out any legitimate transactions (keeping their revenues high). This solution would have the ability to detect and rate the risk involved in accepting a transaction using real, tangible data. Merchants could then decide, based on that data, if they want to accept the transaction. This solution would also utilise an extensive database of information to identify fraud, and have the ability to learn fraud trends and apply that knowledge to improving the solution.
The Offlode™ Solution
5
�In addition, this ideal solution would encompass a system where hundreds of thousands of merchants, across multiple providers, would share fraud data. For example, if a fraud perpetrator were to use a credit card at Site A, it would be ideal if Site B knew about the transaction in real time, before the perpetrator had a chance to move on to Site B. There are companies specialising in providing software to try combat this problem. These however focus on the merchant. With recent developments in CNP transactions, given the sophistication that the criminals have, the fraudulent dealings are not just random, single and targeted transactions they are orchestrated, high volume, complex and extremely expensive attacks. Recent increases in these types of attack have seen fraud double in volume monthly. This is a major concern to the progressive banks who now require a speedy resolution to the issue. What are we talking about?
BIN ATTACKS
OVERVIEW
A new phenomenon where a whole range of similar card numbers are used on the Internet fraudulently. The cardholder will usually still be in possession of their card, but their card number and expiry date are being used without their knowledge (Card-not-present environment). The typical Internet retailers targeted by fraudsters are electronics, gambling6, computer and communications merchants – the same as highlighted previously – also Mobile phone companies – pre-paid top-ups. There are three components to a BIN attack, they are; the fraudsters, credit card BIN numbers and a computer connected to the Internet.
The fraudsters:
Predominantly organized crime, they are criminals with a reasonable amount of knowledge regarding credit card operations.
Credit card BIN’s:
Credit cards are produced in a BIN range, therefore a lot of BIN ranges have similar, if not the same, expiry dates. Example: 9999 0000 4561 xxxx. The first six numbers define the BIN, the second six numbers define the range and the last four numbers are what the fraudsters hope to generate, to use fraudulently.
Computer with Internet access:
This is used to access sites that have credit card number generating software (see previous Card Number Generation), to test the credit cards validity (small $ amount authorisations) and to make fraudulent purchases.
6
The card is used at online casinos and any winnings are banked as ‘laundered’ money. Crime syndicates will run 24 hour multiple computer terminal operations to gamble on line with the card details until the card is blocked. 6
The Offlode™ Solution
�THE METHODS OF THE FRAUDSTERS:
Step 1 Obtain credit card details through A discarded receipt Stolen by a shop assistant By obtaining a customers statement Dumpster diving Unsecured web sites Family member Generate further card numbers The fraudster then extrapolates further legitimate card numbers from the original by using number generating software such as CreditMaster and Credit Wizard. In some cases they have extrapolated over 200 credit cards. These card numbers will usually have the same expiry date. This is because the credit cards were originally generated sequentially by the bank in the same month and the system parameters were set to produce a specific expiry date for all new account numbers for that month. • Step 4 Test card validity Each card number is then tested with a small transaction/s (typically less than $30) through an Internet or phone merchant. This confirms the cards are utilisable. The Bin Attack The fraudsters then make large purchases (generally between $300-$3000) using the card numbers that worked during testing.
Step 2:
Step 3
•
Note: The cards that failed predominantly did so due to the wrong expiry date being entered, these are usually retested using another expiry date if the original BIN attack was successful.
The Offlode™ Solution
7
�WHY ARE THE BANKS INTERESTED WHEN THE MERCHANT PAYS?
All transactions are channeled through the bank. A merchant might see his problem as a few hundred or few thousand dollars where as the bank sees the overall picture of hundreds of thousands of dollars (bigger banks – millions of dollars) monthly. But this isn’t the overriding factor. What is is the 16% of all (genuine) cardholders that are effected. It is the bank that must deal with these, and to deal with these there is only one solution - to cancel the card. People get upset (irate) when their card has to be cancelled through no fault of their own. Not only is this inconvenient but, as it usually happens when the customer makes their next purchase, it is embarrassing as well. The progressive banks now recognise this as their responsibility. It is well documented that a ‘bitten’ cardholder losses confidence in the issuer, bank and card. The cardholder is not only inconvenienced by the ‘loss’ they are reluctant to use their card for normal transactions resulting in other losses to the bank. The banks understand that if they get their act together then the perpetrators will recognise that the target is too difficult and move to an easier one – the next bank.
TRADITIONAL SOLUTION
Most banks use a rule-based system (Prism, Falcon etc) to monitor individual card number transactions. If the same card is used several times it may hit a refer rule which will then be looked at by an operator. But rulebased systems can only look at one card per time. If the fraudster only uses the card number once or twice then moves on to the next card number in sequence the system does not have the ability to pick this up as it would need to refer every legitimate Internet transaction.
THE OFFLODE™ SOLUTION
The common denominator is the first 12 digits of the card numbers (the bin number and range). The Offlode™ Solution links data by bin number. If there are several transactions at the same Merchant on more than three cards where the first 12 digits are the same, it is almost certainly a Bin attack. Therefore by highlighting these card numbers we can then check and confirm the legitimacy of the transactions.
Breakdown of the solution identifiers
The business rules: • Card not present • Same merchant within 12 or 24 hrs • Greater than 2 (Bank) cards used, must be within the same BIN range (1st 12 digits the same) Fraud risk identifiers • Merchant is overseas • Merchant has greater then 2 declined authorisations within 12 or 24 hrs, e.g. Code XX (card expiry incorrect) • Outside normal hours of local Internet use e.g. Transaction occurs 3am in the morning local time. • Customer not connected to Internet banking • Suspect merchant category code e.g. gambling site 7995 • Other
The Offlode™ Solution
8
�HOW WILL THE OFFLODE™ SOLUTION HELP PREVENT FRAUD?
The output of the Offlode™ Solution is a daily report7 identifying the fraudulent testing of card numbers. This is the stage before the real damage is created. This means the Offlode™ Solution prevents the core financial damage created by a BIN attack. Prevention of the attack can be implemented through a number of options: Blocking the card numbers that have been ‘tested’. Blocking numbers further down the sequence Applying other rules to the Merchant being used – e.g. Stopping all transactions to gambling sites in Germany, stopping all transactions from Indonesia8 Update Prism/Falcon rules for the Merchant Proactively reissue cards in the range. If the fraudster has no immediate success within a specific bin range they will move on to another and easier target. Eventually if they have no joy with one Bank BIN's they will move elsewhere. However if they are successful they will come back to the same bank and even the same BIN.
TERMINOLOGY
AVS BIN BIN Attack CNP CVV2 MOTO POS Address Verification System Bank Identification Number Bank Identification Number Attack Card-Not-Present Card Verification Value Mail Order/Telephone Order Point-of-sale
Presently working on updating to ‘real time’. As far as Indonesia, and those who live, work or visit there are concerned there is one pertinent fact about credit card fraud.
8
7
Visa International and MasterCard, the two significant service providers around the globe, currently list Indonesia as No.2 on the list of the worst countries in the world for credit card fraud occurrence by total incidents recorded. In any country the security of card information is reliant on the banks own protocols, systems and general security levels. In Indonesia the banking sector has had a troubled past. Many of the banks opened in the last ten years were personal loan facilities for corrupt businessmen. What followed were hurried mergers, Indonesia Bank Restructuring Agency (IBRA) attempts to prevent the collapse of the whole sector, and a faltering path toward normality. The recent Bank Central Asia sale illustrates that there is still a long way to go. The following is just one (refer appendix 2) of the methods used to obtain credit card numbers and associated information at present in Indonesia. Merchant Fraud and Ghost Terminals To have a card reader installed a retail outlet must reach certain criteria. These are often very basic in Indonesia and hence a fraudster can easily set up a fake or ghost operation. One method is to short term lease a shop with cash, have a reader installed giving false details and then perform maximum false transactions with compromised data and counterfeit cards in the shortest amount of time possible. This can be achieved even more easily by ‘buying out’ a failing business that already has a legitimate reader installed. Ghost terminals can be created by obtaining the reader itself, from say a failing business. With some banking knowledge the reader can be initiated with the bank under completely false details, via an automated telephone in initiation system. Once the high volume of fraudulent transactions is discovered the trail leads nowhere. The Offlode™ Solution 9
�APPENDIX
1 DELIVERY TO A PHYSICAL ADDRESS – BBC.CO.UK 10/02/2003
Nick Davies feels doubly let down. Not only has his business been ripped off for almost £4,000 by fraudsters, but he's been left to pick up the bill. Nick is a quad bike racer. He also runs a thriving Yamaha dealership in Eglwyswrw in North Pembrokeshire, UK. The business is just taking off, and staff take orders over the phone every day. Last November, while he was away on a business trip to the States, an order came in by phone for a racing quad bike, worth £3,700. Staff, as usual, keyed not only the card's number into the machine provided by Lloyds TSB Cardnet, but also the expiry date and the unique set of signature details on the card. They also keyed in the address of the cardholder and his postcode, before getting an authorisation code from the credit card company. But six weeks later Nick and Jayne Davies got a letter from Cardnet telling them the transaction had actually been fraudulent and they wanted their money back. So not only had they lost the bike, but they had to give the money back, because there's a clause in their contract which says the business must pay for "card not present fraud" - that's any fraud over the phone or internet, where the customer does buy the goods in person. This type of fraud costs businesses £95 million a year. Jayne Davies said: "Because we don't have the card holders signature, we didn't have physical sight of the card, we're not covered and therefore it's our problem, it's our loss. And in some ways we've been made to feel like the fraudulent people. You know we've put through a stolen card or a cloned card." Jayne and Nick were annoyed because it seemed to them that the credit card company was more interested in pursuing them than the fraudsters. "It's their whole attitude that's angered us more than anything. Nobody cares; no one wants to know. Oh dear, you're the business owner. It's hurt you, well you know, please pay up. And if we don't pay the money back, then they say we'll be sending a solicitors letter," said Jayne. So who are the real fraudsters. Nick and Jayne were told a Spanish bank issued the card. But the bike had been delivered to an address in Manchester. We decided it was time for X-Ray to get on the trail. The man who bought the bike over the phone gave the name Hargreaves. He was very well spoken and gave an address in the Levenshulme area of Manchester. There was no one home but the door had been wedged open, making it easy for anyone to get their hands on any post that had been delivered there. When the quad bike was delivered someone had been waiting in the street. We spoke to one of the neighbours. She told us: "It's been empty about five years now and there've been a few bailiffs round asking me if I know about anything being delivered there." Experts have told X-Ray that this has all the hallmarks of organised crime. We also called Greater Manchester Police to see if they had any information about the empty house. Then while we were filming in Levenshulme, Greater Manchester Police got in touch with Nick Davies. They told him that they had a strong suspicion that he wasn't the only victim of this gang, and they had identified some people they wished to speak to in connection with the crime. This is the only consolation for Nick, as TSB Cardnet still want their money back. They said all Cardnet customers sign an agreement that "Card-Not-Present Transactions" are at the retailers’ own risk. EVEN if the Bank has authorised the transaction. That authorisation ‘only confirms the availability of funds and that the card has not been reported lost or stolen. It's not a guarantee of payment’. They also say that before the authorisation was given the company was warned by Cardnet that they could "not verify the address". Nick Davies strongly denies this. Jayne Davies said: "It's made us think about things 'cos we just think this could happen to us on a weekly basis. We're leaving ourselves wide open to possibly £100,000 worth of fraud a year and that is frightening."
The Offlode™ Solution 10
�APPENDIX
2 TYPES OF FRAUD AND WAYS OF OBTAINING INFORMATION
Counterfeit fraud
A counterfeit card is either one that has been printed, embossed or encoded without permission from the issuer, or one that has been validly issued and then altered or re-coded. Most cases of counterfeit fraud involve skimming, a process where the genuine data on a card’s magnetic stripe is electronically copied onto another, without the legitimate cardholder’s knowledge. Skimming normally occurs at retail outlets - particularly bars and restaurants - where a corrupt employee skims a customer’s card before handing it back, then sells the information on higher up the criminal ladder where counterfeit cards are made. In other cases, the details obtained by skimming are used to carry out fraudulent card-not-present transactions. Often the cardholder is unaware of the fraud until a statement arrives showing purchases they did not make. More worryingly card details can also be obtained by ‘Chipping’ a card reader at a legitimate point of sale. Card readers need to be serviced and repaired on occasion. Cases have been discovered where a bogus service engineer attends and inserts a chip into the reader that records the card information of transactions completed on that reader. A month later the ‘service engineer’ returns and removes the chip (which now contains hundreds of card details). In addition, in countries such as Indonesia where security is less robust, the tapping of telephone lines from card readers to the host bank, or the tapping of the banks phone lines can be achieved with a modicum of technical knowledge. There is also little chance of detection. (Cardholders should always keep their card in sight when making a transaction)
Merchant Fraud and Ghost Terminals
To have a card reader installed a retail outlet must reach certain criteria. One method is to short term lease a shop with cash, have a reader installed giving false details and then perform maximum false transactions with compromised data and counterfeit cards in the shortest amount of time possible. This can be achieved even more easily by ‘buying out’ a failing business that already has a legitimate reader installed. Ghost terminals can be created by obtaining the reader itself, from say a failing business. With some banking knowledge the reader can be initiated with the bank under completely false details, via an automated telephone in initiation system. Once the high volume of fraudulent transactions is discovered the trail leads nowhere.
Card-not-present fraud
This crime involves using fraudulently obtained card details to make a purchase, usually over the telephone or on the Internet. A card, in a physical form, is not needed. Usually the details are taken from discarded receipts or copied down without the cardholder’s knowledge or obtained through either of the above. As with counterfeit fraud, the legitimate cardholder may not be aware of the fraud until a statement is received. More worrying is that criminals have been found in possession of information that has apparently been gained from the compromise of bank data. This can be obtained technically (by hacking into an insecure bank database) or with collusion of bank staff (paying them to disclose or download information). The card information is then used for a variety of non-traceable purchase options and in many cases specifically to visit on line casinos and any winnings are banked as ‘laundered’ money. Crime syndicates will run 24 hour multiple computer terminal operations to gamble on line with card details until the card is blocked.
The Offlode™ Solution
11
�